Changed focus & moved into the SIM space around 2004-2005
Retention Limits (slide table comparing HP ArcSight and IBM Qradar; the per-cell layout did not survive extraction)
Row labels:
- Correlated/Offense alerts
- All other retention settings (events, flows, etc.)
- Real-time Views
- Log and network history
- Correlation/Offense activity
Cell values as extracted, in order: ~350; ~45 (CEF); ~180; ~14 (LEEF/AXIS); Hours/Days; Yes; Yes; Weeks/Months; No, XML development required; No, must develop from scratch; Unlimited; Unlimited; Unlimited; 3 Days; 1 Week; 1 Week; Unlimited; Unlimited; Unlimited; Unlimited; Last 7 days; 1 month
Data Loss (slide table; columns HP ArcSight and IBM Qradar; only the IBM Qradar column survived extraction)
- Product restarts: IBM Qradar: Events dropped
- Network outage: IBM Qradar: Events dropped
- Event spikes: IBM Qradar: Short buffer, then events dropped
- License limits exceeded: IBM Qradar: Events dropped
- Windows collection: IBM Qradar: Syslog/udp transport, unreliable, events will drop
Encryption
- Encrypted transport
Research-based Reputation
- Research intelligence
Bandwidth Management
- Caching
- Batching
- Filtering
- Aggregation
- Compression
Remaining cell values as extracted (column assignment not recoverable): Events; Events; Events; Access; Yes, by default; Yes
Workflow
- Integrated workflow: HP ArcSight: Yes; IBM Qradar: No
Case Management
- Integrated case management: HP ArcSight: Yes; IBM Qradar: No
Normalization
- Normalized collection
- Identity-based activity tracking
- Identity Management (IdM) integration
Analysis
- Speed of thought drilldown
- State-based, session correlation
- Ability to remove entries
- Ability to age out entries
- Multiple fields tracked
- Ability to view entries
- Anomalous pattern detection
- Anomaly correlation
Columns: HP ArcSight, IBM Qradar. Cell values as extracted, in order (column assignment not recoverable): Yes; No; No; No; Single field only; No; No; Unlimited
Any custom log source: their framework for getting non-standard logs (not syslog based) will require a lot of internal work and configuration. Anything that is syslog based will still require a lot of messing around.
Sophisticated correlation: their correlation engine is relatively simple, so anything that is more than simple aggregation will be relatively difficult for them.
Anything that leverages lists (active or session) will be a massive win for ArcSight. They have lists, but they cannot update or add / remove from a list. So building sophisticated use cases will be VERY difficult, and they will rely on very complex logic (and time sequencing will be tough for them).
(1) open a case if there are more than 10 failed logins for an account within a day
(2) if there is at least one successful login before reaching 10 failed logins, then reset the "failed login" counter and start again counting from zero
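The two-step use case above is exactly the kind of stateful, list-backed correlation the notes describe: a per-account failure list that can be appended to, aged out, and cleared. The following is an added example written for this page, not code from ArcSight or QRadar; it assumes login events arrive as (timestamp, account, outcome) tuples, uses a constructed sample event stream, and keeps a sliding one-day window per account so that "within a day" is evaluated correctly rather than against a fixed calendar day.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def sample_time(minutes):
    """Helper for building constructed timestamps relative to a fixed start."""
    return datetime(2024, 1, 1, 8, 0) + timedelta(minutes=minutes)


# Constructed sample login events (not real log data): (timestamp, account, outcome)
SAMPLE_EVENTS = (
    # alice: 11 failures in 11 minutes -> more than 10 within a day -> case opens
    [(sample_time(i), "alice", "failure") for i in range(11)]
    # bob: 9 failures, one success, then 5 failures -> counter reset -> no case
    + [(sample_time(20 + i), "bob", "failure") for i in range(9)]
    + [(sample_time(30), "bob", "success")]
    + [(sample_time(31 + i), "bob", "failure") for i in range(5)]
    # carol: 6 failures today and 6 more two days later -> never >10 within one day
    + [(sample_time(40 + i), "carol", "failure") for i in range(6)]
    + [(sample_time(2 * 24 * 60 + 40 + i), "carol", "failure") for i in range(6)]
)
SAMPLE_EVENTS.sort(key=lambda e: e[0])


def correlate_failed_logins(events, threshold=10, window=timedelta(days=1)):
    """Stateful correlation of failed logins with a per-account session list.

    Rule 1: open a case when an account accumulates more than `threshold`
            failed logins inside the sliding `window`.
    Rule 2: a successful login clears the account's failure list, so the
            count restarts from zero.
    Returns a list of (account, timestamp, failure_count) for each case opened.
    """
    failures = defaultdict(deque)  # account -> timestamps of recent failures
    cases = []
    for ts, account, outcome in sorted(events, key=lambda e: e[0]):
        if outcome == "success":
            failures[account].clear()  # rule 2: reset the counter
            continue
        if outcome != "failure":
            continue  # ignore unrelated outcomes
        recent = failures[account]
        recent.append(ts)
        # age out entries that fell outside the window
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) > threshold:  # rule 1: strictly more than threshold
            cases.append((account, ts, len(recent)))
            recent.clear()  # start a fresh count after the case is opened
    return cases


if __name__ == "__main__":
    for account, ts, count in correlate_failed_logins(SAMPLE_EVENTS):
        print(f"case opened: account={account} at={ts.isoformat()} failures={count}")
```

Running the block against the constructed stream opens a single case for alice at the eleventh failure; bob's success wipes his nine prior failures, and carol's failures never exceed ten inside any one-day window because the older entries are aged out of her list first.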
A LEADER for 10 consecutive years, while others have appeared and disappeared
Gartner recognizes HP's vision through ops-analytics, integrating SIEM and IT Ops
Market share chart (segments as labelled; HP's own segment label was not recovered): Other, 42.2%; IBM, 13.0%; McAfee, 3.4%; EMC, 9.3%; NetIQ, 8.5%
Effectiveness Matters
- SANS, CERT, NIST, OSVDB, software, and reputation vendors
- Ecosystem partner
- ~3000 researchers
- ESS
- Thought leadership
Chart: Public Vulnerability Research Market: Business Application Vulnerabilities by Reporting Source, Global, 2012. Reporting sources shown: Secunia, US-CERT, Verisign iDefense, High-Tech Bridge, IBM ISS, VUPEN Security. Note: All figures are rounded. The base year is 2012. Source: Frost & Sullivan
Proactive Protection (vulnerability lifecycle timeline)
- t1: Vulnerability is found
- t2: Exploit code is in the wild
- t3: Software vendor releases patch
- t4: Patch rollout